The Net's Real Security Problem

Even casually savvy computer users these days know to beware of security threats on the Internet. They know that the online universe is acrawl with computer viruses, worms, Trojan horses and other malicious bits of code, and if they are prudent, they have equipped their computers with up-to-date anti-virus and firewall software for repelling these invaders. They are leery of unsolicited e-mail attachments, and careful about the web sites they visit. They have probably heard about (or experienced) "denial of service" attacks in which malicious hackers direct thousands of computers to bombard a company's servers with requests to shut them down. They probably even know not to fall for "phishing" scams in which hyperlinks take users to phony sites posing as legitimate banks and credit card companies for the purpose of stealing passwords and account information.

What few in the public realize, however, is that the Internet is vulnerable to much deeper levels of fraud: ones that exploit fundamental security gaps in the network protocols themselves. These attacks, often called "pharming," are all but impossible for individuals to guard against or even detect. They represent a growing threat to personal, corporate and national security that the federal government needs to address urgently.

Consider, for example, the defenselessness of the domain name system (DNS), the Internet's version of "411 information." When you type a "www."-style name into your browser software, the browser converts it into an IP address, a string of digits that is the equivalent of a phone number. It gets the IP address by contacting a local name server, typically operated by your Internet service provider. Unlike telephone numbers, however, which are often valid for several years, IP addresses change frequently, and so the IP address comes with an expiration date, known as a "time to live" (or TTL). On the Internet, TTLs are typically measured in seconds, hours or days, even if the associated IP address does not change that often. If a local name server receives a request for an "expired" DNS name, it in turn queries a hierarchy of other servers, keying its request to two 16-bit identification codes: one for a transaction ID and one for a port number. Unfortunately, the port number is often predictable, and so it becomes possible for a cyberthief to produce a likely match to both codes by generating a relatively small number of answers (say 65,536).

The cyberthief can then ask the local name server for the IP address for XYZ Bank's home page and learn when it will expire. At the moment of expiration, he again asks for the bank's address and immediately sends out the 65,536 answers that list his own computer's IP address as that of the bank. Under the DNS protocol, the local name server simply accepts the first answer that matches its codes; it does not check where the answer came from, and it ignores any additional replies. Even though XYZ Bank's IP address has not really changed, the local name server still replaces the correct address with the hacker's address and communicates the false information to customers.

So if our hacker gets his answers in first, the local name server will direct customers seeking XYZ Bank to his computer. Assuming that the hacker runs a convincing imitation of the bank's sign-in page, customers will not realize that they are handing their confidential information over to a fake.
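The race described in the preceding paragraphs can be modelled from the resolver's side. The following Python is an added example, not code from the article: it models a name server that accepts the first reply whose transaction ID and port match an outstanding query, quantifies the odds of a blind forgery succeeding when the port is fixed versus drawn at random, and shows the detection signal a resolver operator can log, namely a burst of replies that match no outstanding query. The fixed port value (53) and the 16-bit transaction space are assumptions stated in the code; the flood is simulated in memory, no packets are sent.

```python
"""Resolver-side model of the DNS cache-poisoning race described in the article.
Added example; not the article's code. Assumes a 16-bit transaction ID, a
16-bit UDP source port, and (for the weak configuration) a fixed source port 53.
"""
import random
from collections import Counter

TXID_SPACE = 1 << 16            # 16-bit transaction ID
FIXED_PORT = 53                 # assumption: legacy resolvers reused one source port
RANDOM_PORT_RANGE = (1024, 1 << 16)   # assumption: ephemeral ports 1024..65535
USABLE_PORTS = RANDOM_PORT_RANGE[1] - RANDOM_PORT_RANGE[0]


def spoof_success_probability(guesses, port_randomized):
    """Chance that at least one of `guesses` distinct blind forgeries matches the
    resolver's (txid, port) pair. With a fixed port only the txid must be guessed;
    with a random port both must be guessed together."""
    space = TXID_SPACE * (USABLE_PORTS if port_randomized else 1)
    return min(1.0, guesses / space)


class Resolver:
    """Cache model: the first answer matching txid and port wins, the rest are
    ignored, and every reply that matches nothing is counted for detection."""

    def __init__(self, port_randomized, seed=0):
        self.port_randomized = port_randomized
        self.rng = random.Random(seed)
        self.outstanding = {}        # name -> (txid, port)
        self.cache = {}              # name -> ip
        self.unmatched = Counter()   # name -> replies that matched no query

    def query(self, name):
        txid = self.rng.randrange(TXID_SPACE)
        port = (self.rng.randrange(*RANDOM_PORT_RANGE)
                if self.port_randomized else FIXED_PORT)
        self.outstanding[name] = (txid, port)
        return txid, port

    def receive(self, name, txid, port, ip):
        """Return True if the reply was accepted into the cache."""
        expected = self.outstanding.get(name)
        if expected is None or expected != (txid, port):
            self.unmatched[name] += 1   # detection signal: unsolicited/mismatched reply
            return False
        self.cache[name] = ip           # first match wins
        del self.outstanding[name]      # later replies, genuine or not, are ignored
        return True

    def suspicious_names(self, threshold=100):
        """Names that attracted a burst of mismatched replies."""
        return [n for n, c in self.unmatched.items() if c >= threshold]


def simulate_flood(resolver, name, forged_ip, real_ip, guesses=TXID_SPACE):
    """Deliver `guesses` forged replies (sequential txids, fixed port guess) and
    then the genuine answer; return the IP that ended up in the cache."""
    resolver.query(name)
    for txid in range(guesses):
        resolver.receive(name, txid % TXID_SPACE, FIXED_PORT, forged_ip)
    pending = resolver.outstanding.get(name)
    if pending is not None:          # the flood missed; the real answer arrives
        resolver.receive(name, pending[0], pending[1], real_ip)
    return resolver.cache[name]


if __name__ == "__main__":
    for randomized in (False, True):
        r = Resolver(port_randomized=randomized)
        ip = simulate_flood(r, "www.xyzbank.example", "203.0.113.9", "198.51.100.20")
        print(f"port randomized={randomized}: cached {ip}, "
              f"mismatched replies={r.unmatched['www.xyzbank.example']}, "
              f"alert={r.suspicious_names()}")
```

Two things the model makes concrete: with a fixed source port, 65,536 distinct forgeries cover every transaction ID, so the forged address is cached with certainty, whereas with a randomized port the same flood succeeds with probability about 1 in 64,512; and in both cases the resolver saw tens of thousands of replies that matched nothing, which is the event an operator should be counting and alerting on.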

Similar flaws plague other Internet protocols, such as the Border Gateway Protocol (BGP), which governs the pathways followed by data packets on the Internet. They also affect the Dynamic Host Configuration Protocol (DHCP), which roaming computers utilize to find network resources when they connect in new locations. For example, suppose you are sitting in your favorite coffee shop and want to open a connection to the shop's wireless router. Your laptop broadcasts a query for the server to identify itself, and DHCP directs that your laptop will accept the first response it gets as legitimate. If a hacker sitting across the room can fire off a reply before the coffee shop's router does, your laptop will be joined to his. Everything will seem normal to you, but his computer can record all your communications and covertly direct you to malicious sites at will.
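Because a client keeps the first DHCP offer it hears, the defender's vantage point is the wire rather than the laptop. The following Python is an added example, not from the article: it reproduces the first-offer-wins client behaviour over a constructed list of DHCPOFFER records and implements the two checks a network monitor would run, an offer from a server identifier that is not on the site's allowlist, and more than one server answering the same client transaction. The sample offers, addresses and field names are constructed for the example.

```python
"""Rogue DHCP server detection over observed DHCPOFFER messages.
Added example; not the article's code. The records below are constructed and
carry only the fields a monitor would extract: the client transaction id
(xid), the server identifier (option 54), the router option (option 3) and
the offered client address (yiaddr).
"""
from collections import defaultdict

# Constructed sample: two servers answer the same client transaction 0x1a2b3c4d.
SAMPLE_OFFERS = [
    {"xid": 0x1A2B3C4D, "server": "192.168.1.1",  "router": "192.168.1.1",  "yiaddr": "192.168.1.57"},
    {"xid": 0x1A2B3C4D, "server": "192.168.1.99", "router": "192.168.1.99", "yiaddr": "192.168.1.57"},
    {"xid": 0x7E7E0001, "server": "192.168.1.1",  "router": "192.168.1.1",  "yiaddr": "192.168.1.58"},
]

# Assumption for the example: the coffee shop's only legitimate DHCP server.
ALLOWED_SERVERS = {"192.168.1.1"}


def first_offer_wins(offers):
    """Client behaviour the article describes: for each transaction, the first
    OFFER observed is the one the client binds to."""
    chosen = {}
    for offer in offers:
        chosen.setdefault(offer["xid"], offer)
    return chosen


def find_rogue_offers(offers, allowed_servers):
    """Return findings as (kind, xid, detail) tuples.
    'unknown-server': server identifier not on the allowlist.
    'multiple-servers': more than one server identifier answered one transaction."""
    findings = []
    servers_by_xid = defaultdict(set)
    for offer in offers:
        if offer["server"] not in allowed_servers:
            findings.append(("unknown-server", offer["xid"], offer["server"]))
        servers_by_xid[offer["xid"]].add(offer["server"])
    for xid, servers in servers_by_xid.items():
        if len(servers) > 1:
            findings.append(("multiple-servers", xid, tuple(sorted(servers))))
    return findings


if __name__ == "__main__":
    bound = first_offer_wins(SAMPLE_OFFERS)
    for xid, offer in bound.items():
        print(f"xid {xid:#010x} bound to server {offer['server']} via router {offer['router']}")
    for finding in find_rogue_offers(SAMPLE_OFFERS, ALLOWED_SERVERS):
        print("ALERT", finding)
```

Note that the same capture in a different arrival order binds the client to the unlisted server instead, which is exactly the race the article describes; the monitor's findings do not depend on that order, which is why the check belongs on the network rather than in the client.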